7 Ways to Bolster Your Cyber Security (2024 Update)

In an earlier article, we introduced the Notifiable Data Breach (NDB) Scheme which provides a compulsory procedure for agencies and organisations (including small businesses) to follow in the event of a data breach. However, prevention is better than cure, and having tools in place to minimise a data breach from occurring will do your business a world of good. But where to start? Here are seven steps and strategies to prepare and boost your cyber security. In the meantime, it may also be wise to read OAIC’s resources as well as consult a privacy lawyer for professional advice.

1. Governance, Culture and Training

Insufficient interest in, or awareness of, cyber-security among staff can mean that signs of a data breach are ignored or not dealt with properly. It is therefore important to foster a privacy- and security-conscious culture among your staff through appropriate training, resourcing and management focus, such as:

  • Compulsory induction training sessions on cyber-security for new staff.
  • Regular cyber-security refresher training sessions for existing staff.
  • Appointing a body or officer(s) who oversees, enforces and also trains staff on the business’s cyber-security policy.

2. Internal Practices, Procedures and Systems

Whereas the previous step focused on the culture and awareness of cyber-security (a ‘soft’ strategy), this step is about enforcing rules and policy (a ‘hard’ strategy). In general, your cyber-security policy should cover or require:

  • Mandatory procedure (mirroring the NDB Scheme) on how to identify and report data breaches.
  • Procedures for oversight, accountability and lines of authority for decisions relating to personal information security.
  • Procedures for the storage of sensitive information at work and at home.
  • Minimum standards and rules relating to use of end-user mobile devices and ‘Bring Your Own Device’ (BYOD).

According to the APP Code, the internal practices and procedures of your business must be documented, regularly reviewed and updated.

3. ICT Security

This refers to measures which protect both your hardware and software from misuse, interference, loss, unauthorised access, modification and disclosure. ICT security covers:

  • Software Security and Encryption: this includes your website and applications.
  • Network Security: this includes firewalls, detection systems, blocking unauthorised downloads and WiFi security.
  • Whitelisting and Blacklisting: this involves controlling the content, applications or entities that are allowed to run on, or access, a device or network.
  • Testing: regular testing and configuration reviews will help you discover security weaknesses.
  • Backing Up and Email Security: keeping physical hard copies or cloud-based storage as a back-up.

4. Access Security

This involves monitoring and controls that protect your firm’s data from unauthorised access by hackers. Measures include:

  • Trusted Insider Risk: this includes limiting disclosure of personal information to those staff who need it for your business to carry out its functions and activities.
  • Identity Management & Authentication: this distinguishes authorised users from unauthorised ones.
  • Passwords & Pass-Phrases: this involves minimum length and character requirements, regular password updates, and whether staff use shared or unique passwords.
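As an added illustration of the password and pass-phrase point above (example code written for this page, not part of the original article or of any Lawpath tool), the following checks a candidate password against a minimum length, a character-class rule that is waived for multi-word passphrases, and a list of known weak or shared passwords, and then shows how a passing password should be stored. The thresholds (14 characters, 4 words, 90-day age) and the weak-password list are constructed assumptions; a real deployment would draw the list from a breached-password feed or the set of credentials already in use.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Constructed sample list (assumption): in practice this would be a
# breached-password list or the passwords already shared among staff.
KNOWN_WEAK_OR_SHARED = {"Password123!", "Welcome2024", "companyname1"}

MIN_LENGTH = 14            # assumed policy threshold
MIN_PASSPHRASE_WORDS = 4   # a 4+ word passphrase is exempt from the class rule
MAX_AGE_DAYS = 90          # assumed rotation interval ("regular updates")
PBKDF2_ITERATIONS = 600_000


def check_policy(candidate):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    is_passphrase = len(candidate.split()) >= MIN_PASSPHRASE_WORDS

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if not is_passphrase:
        # Require three of four character classes unless it is a passphrase.
        classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
        present = sum(bool(re.search(pattern, candidate)) for pattern in classes)
        if present < 3:
            problems.append("needs at least three character classes "
                            f"(or a passphrase of {MIN_PASSPHRASE_WORDS}+ words)")

    if candidate in KNOWN_WEAK_OR_SHARED:
        problems.append("matches a known weak or shared password")

    return problems


def password_expired(set_on, today=None):
    """True if the password was set more than MAX_AGE_DAYS ago."""
    today = today or date.today()
    return today - set_on > timedelta(days=MAX_AGE_DAYS)


def hash_for_storage(candidate, salt=None):
    """Salted PBKDF2-SHA256 hash in a self-describing string; never store plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(stored, candidate):
    """Recompute the hash from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for pw in ["Password123!", "correct horse battery staple", "abcdefghijklmnop"]:
        print(repr(pw), "->", check_policy(pw) or "OK")
    record = hash_for_storage("correct horse battery staple")
    print("verify correct:", verify(record, "correct horse battery staple"))
    print("verify wrong:  ", verify(record, "correct horse battery stapler"))
```

Each staff member gets their own record, so a shared password is caught both by the weak-list check and by the fact that two people would otherwise have to know the same secret; the stored value is a salted hash, so even a copy of the password database does not reveal the passwords themselves.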

5. Physical Security

This covers steps that prevent unauthorised physical access to both soft and hard copies of your business’s data. Measures could include:

  • Alarm systems (e.g. to control entry to the workplace)
  • Location and lock security of file storage rooms
  • Camera systems (e.g. to detect unauthorised access)

6. Third Party Providers

If you use cloud service providers or other third parties to store your data, it is important that you understand their information handling practices (including terms and conditions) so as to ascertain any risks and protect yourself accordingly.

7. Destruction and De-identification

Where an entity holds personal information it no longer needs for a purpose that is permitted under the APPs, it must ensure that it takes reasonable steps to destroy or de-identify the personal information.

Therefore, you should consider establishing a procedure for the destruction of electronic data (e.g. disk formatting) and physical data (e.g. shredding or burning). Whatever destruction method you use, the APP Code requires the destroyed data to be ‘beyond use’ and ‘irretrievable’.

Conclusion

It is important that you establish or improve your cyber-security so that you can identify and respond effectively to future data breaches in line with the NDB Scheme. With adequate measures in place, you may be able to avoid breaches occurring at all.
